As cyber attacks against U.S. government and private networks have increased in severity in recent years, the Congress and President have actively sought to identify, with the assistance of the U.S. private sector, conditions in U.S. law that could be hampering America’s development of an effective defense against such attacks, and to change those conditions in ways that preserved, as much as possible, legal provisions intended to protect privacy and civil liberties interests.
Congress has passed legislation to change statutory provisions that had the unintended effect of hindering the government’s or private sector’s ability to identify and defend against these attacks. The two most recent Congresses passed at least five major pieces of cybersecurity legislation that the President signed into law. Although “[m]ore than 50 statutes address various aspects of cybersecurity,” according to the Congressional Research Service, we can expect more. Members of Congress continue to introduce numerous bills addressing cybersecurity issues. A search of the Congress.gov legislation database reveals that over 200 bills containing the word “cybersecurity” were introduced during the current Congress and that ten of them have become law.
The President issued Executive Order 13626 in 2013 to improve cybersecurity for critical infrastructure, and Executive Order 13691 in 2015 to promote the sharing of cybersecurity information among private industry.
Both Congress and the President sought to improve cybersecurity capabilities by eliminating or amending those existing legal provisions that prohibited—or could be read to prohibit—private industry or the government from conducting monitoring activities to identify incoming cyberattacks, as well as from sharing information about cyber threats or attacks. For example, Section 104 of the Cybersecurity Information Sharing Act of 2015 (CISA) addressed monitoring restrictions in the Electronic Communications Privacy Act by allowing a company to monitor its own information systems as well as those of others with their authorization and consent, “[n]otwithstanding any other provision of law,” if it did so for cybersecurity purposes.
Other legal changes addressed statutory provisions that had been enacted to protect privacy interests by restricting the sharing of information, but which hindered the ability of companies and the government to share cyber threat indicators. The changes allow for increased sharing for cybersecurity purposes but maintain protections for privacy and civil liberties interests.
CISA Section 104, for example, also permits private companies to share cyber threat indicators provided they first remove any “personal information of a specific individual or information that identifies a specific individual” that is not directly related to the threat. The Attorney General (AG) and Secretary of Homeland Security are required to work together to promulgate policies and procedures requiring federal departments and agencies that receive cyber threat indicators from private entities to conduct their own review to identify “personal information of a specific individual or information that identifies a specific individual.” They must also identify information protected by “otherwise applicable privacy laws that is unlikely to be directly related to a cybersecurity threat.” The AG and DHS Secretary are also charged with developing, in consultation with the heads of appropriate Federal entities, designated privacy and civil liberties officers, and the private sector, guidelines for federal agencies to protect privacy and civil liberties interests in their handling of shared cyber threat indicators.
The law was also changed to address business-related legal concerns by exempting the sharing of cybersecurity information from antitrust laws; providing protections for proprietary information and trade secrets; exempting shared information from federal, state, and local disclosure laws; preserving privileges; and providing protection against lawsuits based on monitoring an information system and sharing cyber threat indicators or defensive measures.
While Congress and the President have removed some legal obstacles to enhanced cybersecurity cooperation between the U.S. private sector and government, they did not compel cooperation; a private company’s sharing of cybersecurity information with the federal government remains a voluntary act. Any private company that declines to do so is shielded and may not be sued for making that choice. In addition, the changes to U.S. laws may not affect anti-cooperation ideologies held by some consumers or leaders in the United States IT sector. Nor do they change foreign legal regimes that may still limit information sharing, such as those in Europe. Therefore, U.S. companies, especially those with a global market, still face some business risk if they share cybersecurity information with the federal government.
Further, changes in U.S. laws do not appear to have changed anti-cooperation attitudes within some portions of the U.S. IT sector. This is evidenced by Apple, Inc.’s development and marketing of iPhones designed to frustrate judicially authorized, constitutionally valid government searches, and its opposition to a court order that it provide reasonable assistance to the FBI’s efforts to access information on an iPhone used by an individual suspected of the murder of over a dozen people in San Bernardino, California.
We will have to wait and see whether the changes in U.S. law that cleared some legal obstacles to increased sharing of cybersecurity information actually result in a closer and more effective government-private sector working relationship and a more robust defense against cyberattacks.